STIG ID - BACF1039: Limit Access to Libraries Containing EXIT Modules

Severity: 1 - High
The z/OS operating system contains many exit points. Most major components of z/OS provide exit points allowing data centers to tailor the system to meet unique requirements. Exit points are also provided in some IBM program products and subsystems. Vendors of applications software also typically provide exit points. Exits can introduce security exposures within the system, modify audit trails, and alter individual user capabilities. Unauthorized access could result in the compromise of the operating system environment, external security manager, and customer data.
The organization must ensure that write or greater access to libraries containing z/OS and other system-level exits is limited to system programmers and activity is logged.
This STIG article shows how to identify system exits, how to limit write or greater access to only system programmers, and how to log all access using Auditor.
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
  1. Identify libraries containing z/OS and other system-level exits using Auditor. Exits are kept in many places. Some are kept in LPA libraries, others are kept in linklist libraries, and some are linked into the system nucleus in SYS1.NUCLEUS. For most system exits, the component and load module name provide an indication of where the exit resides. Create an Auditor Batch Script from the Auditor - SELECT BATCH FUNCTIONS 0.4.2 menu to identify the libraries.
    • Type D for Reporting Option.
    • Type S for Line command.
    -----------------CA Auditor - SELECT BATCH FUNCTIONS-----------------
    Specify file used to retain SCRIPT:
      File name          ===> 'your.AUDITOR.R121.BASEPROC'
      Member name        ===> PPT34    (For libraries only)
      on Volume          ===>          (If not cataloged)
      Script Description ===>
      Overwrite Script   ===> NO       (YES to overwrite already existing Script)
      Reporting Option   ===> D        (Enter S for Summary) (Enter E for Exception) (Enter D for Detailed)
      Line command       ===> S        (Used with Detail or Exception modes)
    The resulting script member:
    ****** ***************************** Top of Data ******************************
    000001 * A *** CA-Examine BATCH FACILITY SCRIPT *** CREATED: USER002 20.254
    000002 OPT FULL S
    000003 CMD 3
    000004 CMD 6
    000005 CMD =X
    ****** **************************** Bottom of Data ****************************
  2. Run the Batch Script created from the Auditor function 0.4.3.
  3. Review access to libraries containing exit modules and ensure the following:
    • Write or greater access is limited to system programmers.
    • Read access is granted to all users as needed.
    • All write or greater access to exit modules is logged.
      ACF
      ACCESS DSN('SYS1.NUCLEUS')
      ACCESS Subcommand Results as of 08/03/20-2:20 for: SYS1.NUCLEUS
      $Key: SYS1   Ruleline: NUCLEUS UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
      ACF
      In this example, the system programmer has write and allocate permission to SYS1.NUCLEUS, with all access being logged.
  4. If write or greater access to libraries containing exit modules is limited to system programmers and all activity is logged, your organization does not have an audit finding.
  5. If write or greater access to libraries containing exit modules is not limited to system programmers, or if write or greater access is not logged, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that write or greater access to the libraries that contain system exit modules is limited to system programmers and that all activity is logged.
Follow these steps:
  1. Evaluate the impact of correcting the deficiency and develop a plan of action to implement the required changes.
  2. Implement controls to specify that only system programmers are authorized write or greater access to libraries that contain system exit modules:
    RECKEY SYS1 ADD(NUCLEUS UID(****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A))
    or
    RECKEY SYS1 ADD(NUCLEUS ROLE(ZSYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(A))
    In this example, SYSPROG is now authorized to read, write, allocate, and execute the SYS1.NUCLEUS data set, with logging of the accesses marked L.
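As an added example (not part of the CA documentation or the Auditor product), the following Python checker applies the step 3 test from the audit section to ACF2 rule lines of the form shown above: write or greater access (WRITE, ALLOC) must be granted only to system programmer UID masks and must carry the L (log) value. It assumes that system programmer UID masks end in SYSPROG, and the rule set it scans is constructed for the example.

```python
import re
# ACF2 access values: A = allow, L = allow and log, P = prevent.
# A permission not present on a rule line is treated as prevented.
UID_RE = re.compile(r"UID\(([^)]*)\)")
PERM_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\(([ALP])\)")
WRITE_OR_GREATER = ("WRITE", "ALLOC")

def parse_rule_line(line):
    """Return (uid_mask, {perm: value}) for one rule line, or None for
    control lines such as $KEY that carry no UID mask."""
    m = UID_RE.search(line)
    if m is None:
        return None
    return m.group(1), dict(PERM_RE.findall(line[m.end():]))

def check_rule_line(line, sysprog_suffix="SYSPROG"):
    """Apply the STIG test to one rule line. Assumption (not from the page):
    system programmer UID masks end in sysprog_suffix."""
    parsed = parse_rule_line(line)
    if parsed is None:
        return []
    uid, perms = parsed
    findings = []
    for perm in WRITE_OR_GREATER:
        value = perms.get(perm, "P")
        if value == "P":
            continue  # write-or-greater not granted: nothing to check
        if not uid.endswith(sysprog_suffix):
            findings.append(f"{perm} granted to non-system-programmer mask {uid}")
        if value != "L":
            findings.append(f"{perm}({value}) for {uid} is allowed but not logged")
    return findings

def audit_rule_set(rule_set_text, sysprog_suffix="SYSPROG"):
    """Return {rule_line: [findings]} for every line that fails the test."""
    result = {}
    for raw in rule_set_text.splitlines():
        line = raw.strip()
        findings = check_rule_line(line, sysprog_suffix)
        if findings:
            result[line] = findings
    return result

# Constructed sample (not from the page): compliant, unlogged WRITE to APPDEV, read-only.
SAMPLE_RULE_SET = """\
$KEY(SYS1)
 NUCLEUS UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
 NUCLEUS UID(*****APPDEV) READ(A) WRITE(A) EXEC(A)
 NUCLEUS UID(*) READ(A) EXEC(A)
"""
```

Running audit_rule_set(SAMPLE_RULE_SET) reports only the APPDEV line, with one finding for the non-system-programmer mask and one for the unlogged WRITE(A).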
Implementing controls to the libraries containing exit modules protects your organization's operating system environment, external security manager, and customer data.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213, CCI-002234

CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
  NIST: NIST SP 800-53 (v3): AC-3
  NIST: NIST SP 800-53 Revision 4 (v4): AC-3
  NIST: NIST SP 800-53A (v1): AC-3.1

CCI: CCI-002234
Published Date: 2013-06-24
Definition: The information system audits the execution of privileged functions.
Type: technical
References:
  NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (9)